Add `--no-audit` to default options used ?

[jrfnl]

Prevent audits breaking builds

Composer 2.4.0 introduced a new "Audit" feature, which will run automatically on any composer update, require, remove and create-project.

This audit feature may break builds when security vulnerabilities are found.

The audit feature can be disabled using the --no-audit option - or as of Composer 2.4.1, using the new COMPOSER_NO_AUDIT env variable.

As composer-install already automatically applies typical options like --no-interaction, I was wondering if the --no-audit option should be added to that list of options which are automatically applied.

What do you think ?

Refs:

• https://blog.packagist.com/composer-2-4/
• https://github.com/composer/composer/releases/tag/2.4.1
• https://github.com/composer/composer/pull/10998
• Related issue in setup-php

Alternatives

Rely on people adding the --no-audit flag manually to the composer-options in all their CI scripts.

[jrfnl]

Additional info from @Seldaek as posted in https://github.com/shivammathur/setup-php/issues/635#issuecomment-1221325769:

I am not sure what the best default is here tbh. Just to be clear though:

During updates the audit is will simply output some warning but not fail the build if there is a known vulnerability found.

If you simply run install no audit is done by default.

If you want to fail the build in case vulns are found, then you kinda need to explicitly call the audit command, in which case disabling the auto-audit on update may make sense.